There are four ways to establish trust between a KMS and vCenter Server; which one applies depends on the KMS vendor.
Java examples for these four ways follow.
- Upload your Root CA certificate to the KMS. Obtain the certificate manually and upload it using the self-signed certificate call.
- Upload a self-signed vCenter Certificate to the KMS.
- Have vCenter Server generate a certificate signing request (CSR), which the KMS signs and returns.
- Download a security certificate and private key generated by the KMS to vCenter Server.
CryptoManager Java program to add a KMS and set the default cluster
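package com.vmware.general;

import com.vmware.common.annotations.Action;
import com.vmware.common.annotations.Option;
import com.vmware.common.annotations.Sample;
import com.vmware.connection.ConnectedVimServiceBase;
import com.vmware.vim25.CryptoKeyId;
import com.vmware.vim25.CryptoKeyResult;
import com.vmware.vim25.CryptoManagerKmipServerCertInfo;
import com.vmware.vim25.KeyProviderId;
import com.vmware.vim25.KmipServerInfo;
import com.vmware.vim25.KmipServerSpec;
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.RuntimeFaultFaultMsg;

/**
 * CryptoManager. Demonstrates uses of the CryptoManager API: registers a KMIP
 * server with vCenter Server, establishes trust in both directions, marks the
 * server's cluster as the default key provider and generates a key.
 *
 * Parameters:
 * url [required] : web service url, for example https://10.9.8.7/sdk
 * username [required] : username for the authentication
 * password [required] : corresponding password
 * kmsname [required] : name under which the KMS is registered
 * kmsip [required] : IP address of the KMS
 * kmsport [optional] : KMS port, defaults to 5696
 * kmsclusterid [required] : key provider (KMS cluster) ID
 *
 * Command line to run CryptoManager code:
 * run.bat com.vmware.general.CryptoManager ^
 * --url webserviceurl --username name --password pass ^
 * --kmsname kms --kmsip ipaddr --kmsclusterid providerId
 */
@Sample(name = "CryptoManager", description = "Demonstrates uses of the CryptoManager API")
public class CryptoManager extends ConnectedVimServiceBase {
    /** Default KMIP port, used when --kmsport is not given. */
    private static final int DEFAULT_KMIP_PORT = 5696;

    private ManagedObjectReference cryptoManager = null;
    private KmipServerSpec kmipSpec = null; // populated by registerKmipServer()
    private String kmsName;
    private String kmsIp;
    private int kmsPort = DEFAULT_KMIP_PORT;
    private String kmsClusterId;

    /**
     * Looks up the CryptoManager managed object reference from the service content.
     *
     * @throws RuntimeFaultFaultMsg if the service content or the CryptoManager is unavailable
     */
    public void initCryptoManager() throws RuntimeFaultFaultMsg {
        if (serviceContent == null) {
            throw new RuntimeFaultFaultMsg("ServiceContent could not be obtained", null);
        }
        cryptoManager = serviceContent.getCryptoManager();
        if (cryptoManager == null) {
            throw new RuntimeFaultFaultMsg("CryptoManager could not be obtained", null);
        }
    }

    /**
     * Registers the KMS described by the command-line options with vCenter Server
     * and keeps the resulting spec for the trust and key calls that follow.
     *
     * @throws RuntimeFaultFaultMsg on a server-side fault
     * @throws IllegalStateException if initCryptoManager() has not run or a required option is missing
     */
    public void registerKmipServer() throws RuntimeFaultFaultMsg {
        requireCryptoManager();
        requireOption(kmsName, "kmsname");
        requireOption(kmsIp, "kmsip");
        requireOption(kmsClusterId, "kmsclusterid");

        KmipServerInfo serverInfo = new KmipServerInfo(); // Create KMS info
        serverInfo.setName(kmsName);
        serverInfo.setAddress(kmsIp);
        serverInfo.setPort(kmsPort); // Only differs from 5696 when --kmsport was given

        // The key provider ID comes from --kmsclusterid instead of a hard-coded
        // value, so the registered cluster is the one the user asked for.
        KeyProviderId providerId = new KeyProviderId();
        providerId.setId(kmsClusterId);

        kmipSpec = new KmipServerSpec(); // KMS spec with server and cluster ID
        kmipSpec.setInfo(serverInfo);
        kmipSpec.setClusterId(providerId);
        vimPort.registerKmipServer(cryptoManager, kmipSpec); // Register server
    }

    /**
     * Makes vCenter Server trust the KMS by retrieving the certificate the KMS
     * presents and uploading it as trusted.
     *
     * The certificate is whatever answers at the configured address and port, so
     * uploading it unchecked is trust-on-first-use. In production, verify it
     * against a fingerprint obtained out of band from the KMS administrator
     * before the upload call.
     *
     * @throws RuntimeFaultFaultMsg on a server-side fault
     * @throws IllegalStateException if registerKmipServer() has not run
     */
    public void trustKmip() throws RuntimeFaultFaultMsg {
        requireRegistered();
        // Get KMS certificate as presented by the endpoint
        CryptoManagerKmipServerCertInfo certInfo = vimPort.retrieveKmipServerCert(
                cryptoManager, kmipSpec.getClusterId(), kmipSpec.getInfo());
        // Verify certInfo.getCertificate() out of band before this point.
        // Upload retrieved certificate to vCenter Server and trust it
        vimPort.uploadKmipServerCert(
                cryptoManager, kmipSpec.getClusterId(), certInfo.getCertificate());
    }

    /**
     * Establishes mutual trust: first the KMS must trust vCenter Server (one of
     * the vendor-specific methods below), then vCenter Server trusts the KMS.
     *
     * @throws RuntimeFaultFaultMsg on a server-side fault
     */
    public void establishTrust() throws RuntimeFaultFaultMsg {
        // Make KMS trust vCenter Server by uncommenting and calling one of these lines
        // - establishTrustUsingSelfSignedCert() - see Example 12-2 for source code
        // - establishTrustUsingSignedCsr() - see Example 12-3 for source code
        // - establishTrustUsingCertAndKey() - see Example 12-4 for source code
        trustKmip(); // Now make the vCenter Server trust KMS
    }

    /**
     * Marks the registered KMS cluster as the default key provider.
     *
     * @throws RuntimeFaultFaultMsg on a server-side fault
     * @throws IllegalStateException if registerKmipServer() has not run
     */
    public void setDefaultKmipCluster() throws RuntimeFaultFaultMsg {
        requireRegistered();
        vimPort.markDefault(cryptoManager, kmipSpec.getClusterId()); // Mark cluster as default
    }

    /**
     * Asks the registered KMS cluster to generate a new encryption key.
     *
     * @return the ID of the generated key as reported by the server
     * @throws RuntimeFaultFaultMsg on a server-side fault
     * @throws IllegalStateException if registerKmipServer() has not run
     */
    public CryptoKeyId generateNewKey() throws RuntimeFaultFaultMsg {
        requireRegistered();
        CryptoKeyResult keyResult = vimPort.generateKey(cryptoManager, kmipSpec.getClusterId());
        // NOTE(review): CryptoKeyResult also reports whether generation succeeded;
        // confirm the accessor against the vim25 API and check it before using the key ID.
        return keyResult.getKeyId();
    }

    /** Runs the full sequence: lookup, register, trust, mark default, generate key. */
    @Action
    public void action() throws RuntimeFaultFaultMsg {
        initCryptoManager();
        registerKmipServer();
        establishTrust();
        setDefaultKmipCluster();
        generateNewKey();
    }

    @Option(name = "kmsname", description = "Name of the KMS", required = true)
    public void setKMSName(String name) {
        this.kmsName = name;
    }

    @Option(name = "kmsip", description = "IP address of the KMS", required = true)
    public void setKMSIp(String ip) {
        this.kmsIp = ip;
    }

    /**
     * Sets the KMS port from its command-line string form.
     *
     * @throws IllegalArgumentException if the value is not an integer in 1..65535
     */
    @Option(name = "kmsport", description = "KMS port", required = false)
    public void setKMSPort(String port) {
        int parsed = Integer.parseInt(port.trim());
        if (parsed < 1 || parsed > 65535) {
            throw new IllegalArgumentException("kmsport must be in 1..65535, got " + parsed);
        }
        this.kmsPort = parsed;
    }

    @Option(name = "kmsclusterid", description = "KMS cluster Id", required = true)
    public void setKMSClusterId(String clusterId) {
        this.kmsClusterId = clusterId;
    }

    /** Fails fast when initCryptoManager() has not populated the reference. */
    private void requireCryptoManager() {
        if (cryptoManager == null) {
            throw new IllegalStateException("initCryptoManager() must be called first");
        }
    }

    /** Fails fast when registerKmipServer() has not populated the spec. */
    private void requireRegistered() {
        requireCryptoManager();
        if (kmipSpec == null) {
            throw new IllegalStateException("registerKmipServer() must be called first");
        }
    }

    /** Fails fast with the option name when a required option value is absent. */
    private static void requireOption(String value, String optionName) {
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("--" + optionName + " is required");
        }
    }
}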
Trust with self-signed certificate or Root CA certificate
This example method uploads a self-signed vCenter certificate, or the Root CA certificate, to the KMS.
/**
 * Makes the KMS trust vCenter Server through a self-signed client certificate
 * (or a Root CA certificate obtained manually).
 *
 * vCenter Server generates the certificate; it is then registered as trusted on
 * the KMS by following the vendor's procedure, after which vCenter Server is
 * updated to present it.
 *
 * @throws RuntimeFaultFaultMsg on a server-side fault
 */
public void establishTrustUsingSelfSignedCert() throws RuntimeFaultFaultMsg {
    KeyProviderId clusterId = kmipSpec.getClusterId();
    // Self-signed certificate generated by vCenter Server, or the Root CA certificate
    String clientCert = vimPort.generateSelfSignedClientCert(cryptoManager, clusterId);
    // Have the KMS trust clientCert (vendor-specific), then tell vCenter Server to use it
    vimPort.updateSelfSignedClientCert(cryptoManager, clusterId, clientCert);
}
Trust with CSR then downloading KMS signed certificate
This example method generates a CSR and downloads the KMS signed certificate onto vCenter Server.
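/**
 * Makes the KMS trust vCenter Server via a certificate signing request that the
 * KMS signs.
 *
 * vCenter Server generates the CSR; the CSR is handed to the KMS out of band
 * (vendor-specific) and the certificate the KMS returns is installed on vCenter
 * Server. The signed certificate is a placeholder in this example: the method
 * fails fast until it is filled in, instead of sending a null certificate to
 * the server.
 *
 * @throws RuntimeFaultFaultMsg on a server-side fault
 * @throws IllegalStateException if the KMS-signed certificate has not been supplied
 */
public void establishTrustUsingSignedCsr() throws RuntimeFaultFaultMsg {
    KeyProviderId clusterId = kmipSpec.getClusterId();
    // Generate a Certificate Signing Request; csr is what the KMS must sign
    String csr = vimPort.generateClientCsr(cryptoManager, clusterId);
    // Replace with the certificate the KMS returned for csr
    String signedCert = null;
    if (signedCert == null || signedCert.isEmpty()) {
        throw new IllegalStateException(
                "KMS-signed certificate for the generated CSR has not been supplied");
    }
    vimPort.updateKmsSignedCsrClientCert(cryptoManager, clusterId, signedCert);
}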
Trust by downloading KMS certificate and private key
This example method downloads a certificate and private key generated by the KMS to vCenter Server.
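/**
 * Makes the KMS trust vCenter Server with a certificate and private key that
 * the KMS generated.
 *
 * Both values are obtained from the KMS by the vendor's procedure and are
 * placeholders here; the method fails fast until they are filled in, instead
 * of uploading null values. The private key is a credential: obtain it over a
 * protected channel and keep it out of logs and source control.
 *
 * @throws RuntimeFaultFaultMsg on a server-side fault
 * @throws IllegalStateException if the certificate or the private key has not been supplied
 */
public void establishTrustUsingCertAndKey() throws RuntimeFaultFaultMsg {
    // Replace with the certificate and private key generated by the KMS
    String certFromKms = null;
    String privateKeyKms = null;
    if (certFromKms == null || certFromKms.isEmpty()) {
        throw new IllegalStateException("Certificate generated by the KMS has not been supplied");
    }
    if (privateKeyKms == null || privateKeyKms.isEmpty()) {
        throw new IllegalStateException("Private key generated by the KMS has not been supplied");
    }
    vimPort.uploadClientCert(cryptoManager, kmipSpec.getClusterId(), certFromKms, privateKeyKms);
}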